Severity by source
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
6DescriptionCVE.org
Access of resource using incompatible type ('type confusion') in Windows OLE allows an authorized attacker to elevate privileges locally.
AnalysisAI
Type confusion in Windows OLE (Object Linking and Embedding) enables authenticated local attackers to escalate privileges across all supported Windows 10, 11, and Server versions (2012-2025). The memory corruption flaw allows low-privileged users to execute code with elevated permissions through incompatible type handling. Vendor-released patches are available for all affected versions. No public exploit identified at time of analysis, though the low attack complexity (AC:L) and lack of user interaction (UI:N) make this accessible to attackers with basic local access.
Technical ContextAI
The vulnerability resides in Windows OLE (Object Linking and Embedding), Microsoft's legacy technology for embedding and linking documents and objects across applications. The flaw is classified as CWE-843 (Access of Resource Using Incompatible Type), commonly known as type confusion. This occurs when code accesses memory or objects using a pointer or reference of an incorrect type, potentially causing the system to misinterpret data structures. In OLE's case, the Component Object Model (COM) infrastructure likely fails to properly validate type casts during object instantiation or method invocation, allowing an attacker to manipulate object vtables or memory layouts. The affected CPE strings indicate this is a Windows core component vulnerability impacting all modern Windows versions from legacy Server 2012 through the newest Windows 11 26H1 and Server 2025 builds, suggesting the vulnerable code exists in foundational OLE32.dll or related system libraries shared across the entire Windows ecosystem.
RemediationAI
Apply Microsoft's security updates immediately through Windows Update or WSUS to patch the vulnerable OLE components. Required minimum patched versions by platform: Windows 10 1607/Server 2016 build 10.0.14393.9060, Windows 10 1809/Server 2019 build 10.0.17763.8644, Windows 10 21H2 build 10.0.19044.7184, Windows 10 22H2 build 10.0.19045.7184, Windows 11 22H3/23H2 build 10.0.22631.6936, Windows 11 24H2/Server 2025 build 10.0.26100.32690, Windows 11 25H2 build 10.0.26200.8246, Windows 11 26H1 build 10.0.28000.1836, Server 2012 build 6.2.9200.26026, Server 2012 R2 build 6.3.9600.23132, Server 2022 build 10.0.20348.5020, and Server 2022 23H2 build 10.0.25398.2274. No workarounds are available; patching is the only effective mitigation. Consult the Microsoft Security Response Center update guide at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-26162 for deployment guidance and verify patch installation through system build numbers in winver.exe.
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-22388